[cabfpub] Questions about [70] EV Code Signing Identifier
Rick Andrews
Rick_Andrews at symantec.com
Fri Jun 8 13:34:53 MST 2012
One more thing: The guidelines currently contain this:
9.2.2 Subject Alternative Name Extension
This field should not be included in the EV Code Signing Objects.
Which I presume should be removed or revised.
-Rick
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Rick Andrews
Sent: Friday, June 08, 2012 11:36 AM
To: public at cabforum.org
Subject: [cabfpub] Questions about [70] EV Code Signing Identifier
I have a few questions about this ballot. I apologize for not bringing this up during the review period, but you often don't see things until you're trying to implement...
First of all, I haven't been able to find a concise list on the wiki of what is the current status of each ballot. I assume someone maintains that list, but it would be nice to see it on one page.
Secondly, a few questions have come up about the construction of the permanentIdentifier. Here's the current text:
"(B) the Certificate MUST include a SubjectAltName:permanentIdentifier which MUST contain the following:
"(1) The ISO 3166-2 country code in uppercase characters corresponding to the Subject's Jurisdiction of Incorporation or Registration (CC), as specified in the subject:jurisdictionOfIncorporationCountryName field;
"(2) If applicable, the state, province, or locality of the Subject's Jurisdiction of Incorporation in uppercase characters as specified in the subjectjurisdictionOfIncorporationLocalityName or subject:jurisdictionofIncorporationStateorProvinceName field, expressed in an unabbreviated format (STATE); and
"(3) The first one of the following that applies: a. The Registration Number as included in the Subject:serialNumber field (REG), b. A date of Incorporation or Registration in YYYY-MM-DD format (DATE) and the Subject's Organization Name as included in the organizationName field (ORG), c. A verifiable date of creation in YYYY-MM-DD format (DATE) and the Subject's Organization Name as included in the organizationName field (ORG), or d. The Subject's Organization Name as included in the organizationName field (ORG).
"The CA SHALL format data in the SubjectAltName:permanentIdentifier extension using Unicode as follows: CC-STATE (if applicable)- REG or DATE (if available)-ORG (if REG is not present). Characters representing the organization name MUST be uppercase Unicode. Any included "-" characters MUST be Unicode 002D and any included spaces in REG, STATE, or ORG MUST be Unicode 0020. A CA MAY truncate or abbreviate an organization name included in this field to ensure that the combination does not exceed 64 characters provided that the CA checks this field in accordance with section 10.11.1 and a Relying Party will not be misled into thinking that they are dealing with a different organization. If this is not possible, the CA MUST NOT issue the EV Code Signing Certificate.
1. Since the STATE part is "if applicable", what happens if the STATE is not applicable? Is the permanentIdentifier "CC--REG or DATE"?
2. Can a State or Province include a hyphen? If so, I would expect it would need to be escaped somehow so as not to be interpreted as a delimiter.
3. Same question about Org, except that I know that Orgs can contain hyphens (e.g., "Hewlett-Packard").
4. We don't understand the need to allow the CA to truncate so the combination doesn't exceed 64 characters. That's the max length of DN components, but this is an extension. If the intent is to insure that any CA would come up with the same combination for a given organization, this seems to allow for variability that will cause incompatibilities.
-Rick
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://cabforum.org/pipermail/public/attachments/20120608/a150f87d/attachment.html
More information about the Public
mailing list